This week we have six vendor disclosures from ABB, Bosch, Belden, WEIDMUELLER, PulseSecure, and Siemens. We also have two researcher reports on products from Selea.
ABB Advisory
ABB published an advisory describing an unauthenticated crafted-packet vulnerability in their AC500 V2 PLCs. The vulnerability was reported by Yossi Reuven of SCADAfence. ABB has a new firmware version that mitigates the vulnerability. There is no indication that Reuven was provided an opportunity to verify the efficacy of the fix.
Bosch Advisory
Bosch published an advisory describing two vulnerabilities in their Bosch Fire Monitoring System. The vulnerabilities are self-reported. Bosch has a patch that mitigates the vulnerabilities.
The two reported vulnerabilities are:
• Use of hard-coded credentials - CVE-2020-6779, and
• Use of password hash with insufficient computational effort - CVE-2020-6780
Belden Advisory
Belden published an advisory describing a firewall bypass vulnerability in their WLAN (HiLCOS) products. The vulnerability is self-reported. Belden has updates available that mitigate the vulnerability.
WEIDMUELLER Advisory
CERT-VDE published an advisory discussing the fdtCONTAINER vulnerability in the WEIDMUELLER WI Manager. WEIDMUELLER continues to work on mitigation measures for this vulnerability.
PulseSecure Advisory
PulseSecure published an advisory discussing a third-party (OpenSSL) null pointer dereference vulnerability in their products. They report that Pulse Secure vADC is not affected, but they are still evaluating their other products.
Siemens Advisory
Siemens published an out-of-band advisory discussing the DNSpooq vulnerabilities in their SCALANCE and RUGGEDCOM devices. Siemens has provided generic workarounds to mitigate the vulnerabilities pending further development efforts.
Selea Reports
Zero Science Labs has published a report describing a cross-site scripting vulnerability in the Selea CarPlateServer. Zero Science reports coordinating with Selea but is unaware of any mitigation measures developed by the company. LiquidWorm has published an exploit for this vulnerability.
Zero Science Labs has published a second report describing a privilege escalation vulnerability in the Selea CarPlateServer. Zero Science again reports coordinating with Selea but is unaware of any mitigation measures developed by the company. LiquidWorm has published an exploit for this vulnerability as well.